stats values

vumanhtai · ‎03-24-2020

Hi Splunk Team!
i have a query: index=mail sourcetype=webmail | stats values(time) as time values(severity) as severity values(email) as email values(status) by session_ID
Results as shown in a picture
i want to show result of values (severity) greater than 2 values?
how can i do it?
Thanks!

gcusello · ‎03-24-2020

Hi @vumanhtai,
let me understand, do you want to have session_IDs where:

there's a severity value greater than 2,
there are more than 2 different severity values?

In the first case, try this:

index=mail sourcetype=webmail 
| stats values(time) as time maxs(severity) as severity values(email) as email values(status) by session_ID
| where severity>2

In the second case, try this:

index=mail sourcetype=webmail 
| stats values(time) as time values(severity) as severity dc(severity) as dc_severity values(email) as email values(status) by session_ID
| where dc_severity>2

Ciao.
Giuseppe

vumanhtai · ‎03-24-2020

thank you
kamlesh_vaghela's answer helped me solve this problem

kamlesh_vaghela · ‎03-24-2020

@vumanhtai

Are you looking for this?

YOUR_SEARCH | where mvcount(severity) > 2

vumanhtai · ‎03-24-2020

Thank you so much!

kamlesh_vaghela · ‎03-24-2020

@vumanhtai

Glad to help you. Please accept this answer to close this question.

stats values

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...